Hello,
I'm trying to customize my response to rate-limited requests by keeping
limit_req_dry_run on, and using an if statement depending on the value of
$limit_req_status:
This works as expected:
limit_req_zone $binary_remote_addr zone=one:1m rate=2r/m;
server {
    listen 80;
    server_name localhost;
    location / {
        # set rate limiting for this location
        limit_req zone=one burst=10 nodelay;
        limit_req_dry_run on;
        add_header X-my-var "$myvar" always;
        if ($limit_req_status = "REJECTED_DRY_RUN") {
            add_header X-custom-header "rejected" always;
            return 400 'rejected';
        }
        root /usr/share/nginx/html;
        index index.html;
    }
}
But once I replace root and index with a proxy_pass, the whole thing stops
working:
limit_req_zone $binary_remote_addr zone=one:1m rate=2r/m;
server {
    resolver 8.8.8.8;
    listen 80;
    server_name localhost;
    location / {
        set $myupstream "myurl.com";
        # set rate limiting for this location
        limit_req zone=one burst=10 nodelay;
        limit_req_dry_run on;
        add_header X-limit-req-status "$limit_req_status" always;
        if ($limit_req_status = "REJECTED_DRY_RUN") {
            add_header X-custom-header "rejected" always;
            return 400 'rejected';
        }
        proxy_pass http://$myupstream;
    }
}
I added $limit_req_status to my log_format and can confirm that the value of
$limit_req_status does get set to "REJECTED_DRY_RUN". I also see the header
"X-limit-req-status" from the request set to "REJECTED_DRY_RUN".
I'm assuming the issue is the way Nginx evaluates if statements that have
unset variables at the beginning of the request? If so, any pointers on how
to get this working? Thank you!
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294407,294407#msg-294407
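Added example (not from the post or its replies): nginx evaluates `if` in the rewrite phase, which runs before the preaccess phase in which `limit_req` sets `$limit_req_status`, so with a plain `proxy_pass` the comparison runs against an empty value, while the `root` plus `index` variant appears to work because the internal redirect to the index file re-runs the rewrite phase after the status has been set. The usual way to customize the rejection response is to map the rejection status to a named location with `error_page`; this only fires with dry-run off, since in dry-run mode nothing is rejected. Zone, upstream and header names are taken from the post; `@ratelimited` is an assumed name.

```nginx
limit_req_zone $binary_remote_addr zone=one:1m rate=2r/m;

server {
    listen 80;
    server_name localhost;
    resolver 8.8.8.8;

    location / {
        set $myupstream "myurl.com";

        limit_req zone=one burst=10 nodelay;
        # Dry-run must be off here: in dry-run mode the request is never
        # rejected, so there is no error status for error_page to catch.
        limit_req_dry_run off;
        # Status code limit_req returns for rejected requests (default 503).
        limit_req_status 429;
        # Rejected requests are handed to the named location below, which
        # runs after limit_req has set $limit_req_status.
        error_page 429 = @ratelimited;

        add_header X-limit-req-status "$limit_req_status" always;
        proxy_pass http://$myupstream;
    }

    location @ratelimited {
        # add_header is not inherited into a location that sets its own,
        # so the status header is repeated here for the rejected response.
        add_header X-limit-req-status "$limit_req_status" always;
        add_header X-custom-header "rejected" always;
        return 400 'rejected';
    }
}
```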
Hi guys,
a novice here, so go easy on me with this question:
having multiple 'listen' with IPs or just one 'listen' with a hostname
which resolves to more than one IP - is it possible to tell Nginx not to
fail when one of the IPs is absent or does not exist?
many thanks, L.
Hello,
Is there a way to log individual websocket messages going through an nginx
server set up to proxy websockets as explained here:
https://nginx.org/en/docs/http/websocket.html ?
-Chinmay
I had a WordPress blog that was working on Apache. I migrated the blog to
Nginx + php-fpm, but I have a problem with this.
My blog has an RSS feed at the example.com/feed URL, and I could see the feeds
paged like this example -> http://www.kodcu.com/feed/?paged=45.
But in Nginx, these paged RSS URLs don't work with my config. The /feed and
/feed/?paged=X URLs show the top 10 content.
My nginx.conf is as below. How can I handle this problem?
user root root;
worker_processes 2;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 2;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    error_log /var/log/nginx/error.log;
    access_log off;
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    ##
    # Virtual Host Configs
    ##
    index index.php index.html index.htm;
    ## See here: http://wiki.nginx.org/WordPress
    server {
        server_name example.com www.example.com;
        root /var/www/example.com;
        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
        location / {
            # This is cool because no php is touched for static content
            try_files $uri $uri/ /index.php?$args;
        }
        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
        }
    }
}
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,238692,238692#msg-238692
I want to create a CLI app (in this case named CLI_APP) that will output
JSON and can be accessed via the web.
In Linux terms, it will look like:
Request | Web_Server | CLI_APP | ADD_UI | Web_Server > Response
Now, I will run the app like `CLI_APP --output json`. Here, I am saying
that CLI_APP will output JSON (for a REST API).
Here, `ADD_UI --output web` will add HTML, CSS, JS etc. to the JSON output.
Can Nginx help me send the requests to CLI_APP via STDIN and serve the
final output of `ADD_UI --output web`?
Thanks and Best Regards,
Ahmad Ismail
Hello,
I have a real server placed behind my reverse proxy:
www server 192.168.1.10 <---> 192.168.1.20 reverse proxy <---> NAT Firewall <---> Internet <---> Client on Internet
My configuration on my reverse proxy (192.168.1.20) looks like this:
location ^~ / {
    proxy_pass http://192.168.1.10:80;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Referer "http://app.mydomain.org";
}
My configuration on my www server (192.168.1.10) on the vhost looks like this:
server {
    ...
    access_log /var/log/nginx/mylogs.mydomain.org.access.log xforwardedLog;
    error_log /var/log/nginx/mylogs.mydomain.org.error.log;
and in nginx.conf
http {
    ...
    log_format xforwardedLog '$remote_addr forwarded for $http_x_real_ip - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"';
On my www server 192.168.1.10 I can see the access logs:
192.168.1.20 forwarded for 54.38.10x.x - - [30/Jun/2022:13:44:38 +0200] "GET / HTTP/1.0" 200 7112 "http://app.mydomain.org" "Mozilla/1.22 (compatible; MSIE 5.01; PalmOS 3.0) EudoraWeb 2.1"
And it works correctly for me because I can see the IP of the user on the Internet.
But in the error.log I don't see the IP of the user on the Internet:
2022/06/28 16:12:27 [error] 45747#0: *11 access forbidden by rule, client: 192.168.1.20, server: app.mydomain.org, request: "GET /.git/config HTTP/1.0", host: " <MY PUBLIC IP>", referrer: "http://app.mydomain.org"
So here, as you can see in the logs, my client 192.168.1.20 is the reverse proxy and not the client on the Internet.
So in the access logs (http://nginx.org/en/docs/http/ngx_http_log_module.html) I can get the IP of the Internet user.
How can I get the IP of the Internet user when it generates an error log?
Thank you
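Added example (not the poster's configuration): the `client:` field of error_log entries, like `$remote_addr`, is the address of the TCP peer, which here is the proxy; the realip module (`ngx_http_realip_module`, included in standard nginx packages) replaces that address with the value of a header, but only for connections arriving from addresses listed in `set_real_ip_from`, so a client on the Internet cannot forge it. Addresses, header and log names are taken from the post.

```nginx
# On the www server (192.168.1.10), in the vhost that receives the proxied traffic.
server {
    listen 80;
    server_name app.mydomain.org;

    # Honour the client-address header only when the connection comes from
    # the reverse proxy; any other peer keeps its real TCP address, so the
    # header cannot be used to spoof the logged client.
    set_real_ip_from 192.168.1.20;
    # The reverse proxy sets X-Real-IP to $remote_addr of the Internet client.
    real_ip_header X-Real-IP;

    # $remote_addr now holds the Internet client's address, so both the
    # access log and the "client:" value in error_log entries show the real
    # client rather than 192.168.1.20.
    access_log /var/log/nginx/mylogs.mydomain.org.access.log xforwardedLog;
    error_log /var/log/nginx/mylogs.mydomain.org.error.log;

    # remaining vhost directives unchanged
}
```

With realip active, `$remote_addr` and `$http_x_real_ip` show the same address in the `xforwardedLog` format; `$realip_remote_addr` still yields the proxy's address if it should stay in the log.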
Hi all, I have a CLI client and server written in Go. Currently, they are
communicating via a socket connection and it's a server streaming connection.
Now I want to have an Nginx proxy between these two.
Is it possible to configure the normal socket connection in Nginx? How do I
do that, and what code changes & configuration changes do I need to make?
There's not much on the internet on this on socket connections in Nginx; I was
wondering if it's possible or not.
// my client code (imports used: encoding/json, log, net):
func getStreammessages() {
    connection, err := net.Dial("tcp", "2.221.29.137:9988")
    if err != nil {
        log.Fatal(err)
    }
    defer connection.Close()
    // tell the server which stream this client wants
    _, err = connection.Write([]byte(sendIDtoServertoGetStream))
    if err != nil {
        log.Fatal(err)
    }
    buffer := make([]byte, 1024)
    for {
        mLen, err := connection.Read(buffer)
        if err != nil {
            return // server closed the connection
        }
        _ = buffer[:mLen] // some logic to print the message stream
    }
}
// my server code:
func StartStreamServer() {
    server, err := net.Listen("tcp", "2.221.29.137:9988")
    if err != nil {
        log.Fatal(err)
    }
    defer server.Close()
    for {
        connection, err := server.Accept()
        if err != nil {
            continue
        }
        go registerClient(connection)
    }
}
func registerClient(connection net.Conn) {
    buffer := make([]byte, 1024)
    mLen, err := connection.Read(buffer)
    if err != nil {
        return
    }
    // the first message identifies the client; type message is defined elsewhere in my code
    var sendIDtoServertoGetStream message
    err = json.Unmarshal(buffer[:mLen], &sendIDtoServertoGetStream)
    if err != nil {
        log.Print(err)
    }
}
// stream to client from message queue (messageString comes from the queue)
func StreamMessageToCliCLient(connection net.Conn) {
    _, err := connection.Write(messageString)
    if err != nil {
        log.Print(err)
    }
}
Has anyone done this before?
Currently, I am doing this in my Nginx (nginx.conf file), which is running in
the same VM as my server:
stream {
    server {
        auth_basic off;
        proxy_ssl off;
        listen 80;
        # TCP traffic will be forwarded to the proxy_pass
        # proxy_pass 3.111.69.167:9988;
        proxy_pass 127.0.0.1:8899;
    }
}
I want to open port 80 and internally proxy_pass to my server;
currently I'm getting a 400 status code when I do this, and it's not passing my
request to my server.
Can you pls help? Thank you
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294594,294594#msg-294594
Hi All,
Two of my sites have suffered problems since I updated them to https
from http, in fact since the latest scheduled update by certbot.
The home page of coachmaster.co.uk should be a log in screen.
Brave shows me
This site can’t provide a secure connection
coachmaster.co.uk sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
I think the protocol message it doesn't like is Upgrade-Insecure-Requests: 1
Edge is really informative:
The connection for this site is not secure coachmaster.co.uk sent an
invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
Browser: Brave Version 1.40.105 Chromium: 103.0.5060.53 (Official
Build) (64-bit)
All others I've tried also fail.
nginx version 1.21.6
openSSL version 1.1.1.n
special compile.
certbot applies a configuration of:
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
This last is all one line.
The server block(s) for the site are (removing a lot of comments to
save space):
------------- file begins ----------------
# redirect from http at bottom of file
server {
    server_name coachmaster.co.uk www.coachmaster.co.uk;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/coachmaster.co.uk-0001/fullchain.pem;
    limit_req zone=ip burst=12 delay=8;
    location ^~ /Avatars {
        limit_req zone=fp burst=70 nodelay;
    }
    root /var/www/coachmaster.co.uk/htsecure;
    access_log /var/log/nginx/coachmaster.co.uk.access.log;
    # error_log /var/log/nginx/error.log; set in nginx.conf
    index index.php;
    location = /Coachmaster.html {
        rewrite ^(.*) http://thecoachmasternetwork.com/software/;
    }
    location = / {
        rewrite ^ /index.php last;
    }
    location /easyrtc {
        proxy_pass http://localhost:5006;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    location /socket.io {
        proxy_pass http://localhost:5006;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    # serve php files via fastcgi if the file exists
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param CENTRAL_ROOT $document_root;
        fastcgi_param RESELLER_ROOT $document_root;
        fastcgi_param ENVIRONMENT production;
        fastcgi_param HTTPS ON;
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass 127.0.0.1:9000;
    }
    # serve static files
    try_files $uri $uri/ /index.php;
    expires 30m;
    location /publish {
        nchan_publisher;
        nchan_channel_id $arg_id;
        nchan_channel_id $arg_id;
        nchan_message_buffer_length 10;
        nchan_message_timeout 90s;
    }
    location /activity {
        nchan_subscriber;
        nchan_channel_id $arg_id;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/coachmaster.co.uk-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/coachmaster.co.uk-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.coachmaster.co.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = coachmaster.co.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name coachmaster.co.uk www.coachmaster.co.uk;
    listen 80;
    return 404; # managed by Certbot
}
------------ end of file -----------
I have inserted a blank line after long lines that wrap.
According to the UptimeRobot the site is up.
The service at
https://www.ssllabs.com/ssltest/analyze.html?d=coachmaster.co.uk gives no
obvious errors,
except that it shows the TLS 1.2 protocol NOT enabled.
I'm way out of my depth now. Can anyone suggest something that does not
weaken the security?
Regards
Ian
--
Ian Hobson
Tel (+66) 626 544 695